Post Implementation Issues

Upload: moolsudhir307

Posted on 10-Apr-2018

8/8/2019 Post Implementation Issues (1/24)

Post Implementation Issues

Has the IT Department taken the required consequential action for Back ups and Disaster Recovery?

Has the IT Department introduced a system to track problems reported by users?

Is there a system of measuring vendors' support against the agreed service levels?

Is there an identified System Administrator who is responsible for managing access to the system, back up and ensuring data base controls?

Audit at Application Level

Are operational controls such as distinct user passwords in place and enforced?

8.21 Whether necessary Regulatory Compliance requirements have been taken into account by the user?

8.22 Whether the SRS has taken into account the Error / Fraud / Disclosure / Interruption / Organisational Risks etc.?

8.23 Whether input / output controls are in place?

8.24 Are validation controls in place, viz. Field / Transactions / File with appropriate error reporting?

8.25 Are appropriate data classifications with security in place, viz. Read only for users, Read / Write for authorized persons?

Is an audit trail built into the systems?

Does the system provide for exception reporting?

Whether adequate firewalls are set up to ensure that any outside access being provided is limited in scope and does not intrude on sensitive data areas?

8.29 Whether user acceptance is recorded along with test plan data / test data / test results for future reference?

8.30 Whether the users' sign off has been obtained?

Network Security

10.7 Check if the system being audited trusts other hosts for providing logon access to similar user accounts (same user account in the system being audited and the host system) in both the systems without supply of a password. If so, ensure that it has been implemented in accordance with IT / CPPD guidelines only.

Check if remote logon is enabled and, if so, whether it is as per the guidelines of CPPD / IT Department. Ensure that the users logging on from remote locations are identifiable by terminal IDs / IP addresses. Check if remote logon through services such as ftp, telnet, etc. is disabled. If not, ensure that the same has been implemented as per the IT security policy of the Bank.

User Account Maintenance

Each and every user ID at the operating system level should have been created only after specific approval of the Branch Manager / Department head in writing on a request form signed by the respective user. Verify whether such approval is in place for all the active user IDs.

10.11 Apart from the approved request forms, the Branch / Office should be maintaining a user profile register with details such as:

Employee Name
Designation
Employee Number
Date of joining the Branch / Office
User ID allotted
Date of creation of user ID
Date of deletion of user ID
Signature of the user
Initials of the DBA
Initials of the BM

Verify whether the above mentioned register is maintained. All the entries in the register should be accounted for in the list of active user IDs obtained from the operating system.

Check that, with the exception of reserved user accounts created for the internal use of the operating system, RDBMS, Application system, etc., all other user accounts are uniquely identifiable by the respective user's personal name. In other words, generic user accounts, which cannot be attributed to any individual, should not be allowed. Verify this and comment.

10.13 Check the operating system user IDs which have security equivalence to Super User and ensure whether they are permissible as per CPPD / IT Department guidelines.

Check whether all the user IDs are protected with passwords.

With the exception of the Super User account, check whether all default system login accounts are disabled. In other words, ensure whether all default vendor accounts shipped with the Operating System have been disabled. This should be checked after each upgrade or installation.

Check the list of active user groups and ensure that general users are not members of sensitive / privileged user groups which have higher privileges.
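The checks in this section (register reconciliation, generic IDs, Super User equivalence, password-less IDs, default vendor accounts, privileged group membership) and the privileged password age check of 10.33 can be run mechanically against the account files of a Unix-style system. The following Python is an added example, not part of the RBI checklist; the /etc/passwd, /etc/shadow and /etc/group contents, the user profile register, and the lists of reserved, vendor-default and privileged names are all constructed for illustration and would be replaced by the Branch's own register and the CPPD / IT Department guideline lists.

```python
from collections import defaultdict
from datetime import date

# Constructed sample files in the /etc/passwd, /etc/shadow and /etc/group
# formats (not taken from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
oracle:x:54321:54321:Oracle:/opt/oracle:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
asharma:x:1001:1001:A. Sharma:/home/asharma:/bin/bash
rkumar:x:1002:1002:R. Kumar:/home/rkumar:/bin/bash
teller1:x:1003:1003:teller:/home/teller1:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash1:19800:1:45:7:::
daemon:*:19000:0:99999:7:::
lp:$6$vendor$default:19000:0:99999:7:::
oracle:!:19000:0:99999:7:::
toor:$6$salt$hash2:19500:0:99999:7:::
asharma:$6$salt$hash3:19810:1:45:7:::
rkumar::19810:1:45:7:::
teller1:$6$salt$hash4:19810:1:45:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:root,rkumar
sudo:x:27:asharma
staff:x:50:asharma,rkumar,teller1
"""
# User profile register kept by the Branch (item 10.11): user ID -> employee (constructed).
REGISTER = {"asharma": "A. Sharma", "rkumar": "R. Kumar"}
# Accounts reserved for internal use of the OS / RDBMS / application (constructed list).
RESERVED = {"root", "daemon", "lp", "oracle"}
# Default vendor accounts shipped with the OS that must be disabled (constructed list).
VENDOR_DEFAULTS = {"daemon", "lp", "oracle"}
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}
ADMIN_ACCOUNTS = {"root"}          # the only accepted member of those groups


def parse_colon_file(text, fields):
    """Parse a colon-separated /etc style file into {name: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            rows[line.split(":")[0]] = dict(zip(fields, line.split(":")))
    return rows


def audit_accounts(passwd=PASSWD, shadow=SHADOW, group=GROUP, register=REGISTER):
    users = parse_colon_file(passwd, ["name", "pw", "uid", "gid", "gecos", "home", "shell"])
    shadows = parse_colon_file(shadow, ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire"])
    groups = parse_colon_file(group, ["name", "pw", "gid", "members"])
    findings = defaultdict(list)
    for name, u in users.items():
        pw_hash = shadows.get(name, {}).get("hash", "")
        locked = pw_hash.startswith(("!", "*")) or u["shell"].endswith("nologin")
        if u["uid"] == "0" and name != "root":          # 10.13: Super User equivalence
            findings["superuser_equivalent"].append(name)
        if pw_hash == "":                                # ID not protected with a password
            findings["no_password"].append(name)
        if name in VENDOR_DEFAULTS and not locked:       # default vendor account still enabled
            findings["vendor_default_enabled"].append(name)
        if name not in RESERVED and not locked and name not in register:
            findings["not_in_register"].append(name)     # generic or unapproved ID (10.11)
    for reg_name in register:                            # register entry with no live account
        if reg_name not in users:
            findings["register_without_account"].append(reg_name)
    for gname, g in groups.items():                      # general users in privileged groups
        if gname in PRIVILEGED_GROUPS:
            for member in filter(None, g["members"].split(",")):
                if member not in ADMIN_ACCOUNTS:
                    findings["general_user_in_privileged_group"].append(f"{member}:{gname}")
    return dict(findings)


def stale_privileged_passwords(today_days, shadow=SHADOW, max_age_days=30, accounts=("root",)):
    """10.33: age in days of privileged passwords older than max_age_days.
    today_days and the shadow 'lastchg' field are both days since 1970-01-01."""
    shadows = parse_colon_file(shadow, ["name", "hash", "lastchg"])
    ages = {a: today_days - int(shadows[a]["lastchg"]) for a in accounts}
    return {a: age for a, age in ages.items() if age > max_age_days}


if __name__ == "__main__":
    for finding, names in audit_accounts().items():
        print(f"{finding}: {', '.join(names)}")
    today = (date.today() - date(1970, 1, 1)).days
    print("stale privileged passwords:", stale_privileged_passwords(today))
```

On a live system the three files are read with root privilege and the register is the Branch's own; every finding is then matched against the signed request forms before it is reported as a deviation.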

Logical Access Controls

10.17 Ensure that access to the operating system command prompt is disabled for general users in the Branch / Office.

10.18 If some or more of the system administration related activities are driven through a menu based utility assigned to any user ID which is privileged, ensure that such ID(s) cannot be used to bypass login security and access the command prompt.

10.19 Ensure that the file pertaining to each user containing login parameters cannot be modified by the respective user.

Ensure that any user other than the Super User cannot modify the system activity log file.

Check whether access rights to system files, application executable program files, application data files, utilities, application parameter files, system / database configuration / initialization files, etc. have been adequately controlled to allow read / write / execute / modify, etc. as the case may be to appropriately authorised users on a need to know, need to do basis.

10.22 Obtain a list of world writable directories / folders (directories / folders with access to every user) in the system and ensure that they have been set only in accordance with IT / CPPD guidelines.

Verify the access rights settings for the users' home directories and ensure that they are not owned by any ID other than the actual user. Also, ensure that a user's home directory cannot be accessed by any other user.
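The file system checks above (item 10.22 on world writable directories, the home directory ownership and access check, and the access rights on application parameter files) are shown below as an added Python example that is not part of the checklist. It builds a small directory tree in a temporary location purely to have something to audit; the layout, the user names and the expected-owner register are constructed, and the directory `home/rkumar` is deliberately registered against a different uid so that the ownership finding is exercised.

```python
import os
import stat
import tempfile


def build_sample_tree(root):
    """Constructed directory layout used only for this demonstration."""
    spec = {                                   # relative path -> mode
        "tmp": 0o1777,                         # world-writable with sticky bit
        "app/data": 0o777,                     # world-writable, no sticky bit
        "home/asharma": 0o700,
        "home/rkumar": 0o755,                  # readable by every user
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    for rel in ("app", "home"):                # parents: not world-writable
        os.chmod(os.path.join(root, rel), 0o755)
    conf = os.path.join(root, "app", "app.conf")     # application parameter file
    with open(conf, "w") as fh:
        fh.write("sample_parameter=1\n")
    os.chmod(conf, 0o644)                      # readable by 'other'


def world_writable_dirs(root):
    """Item 10.22: every directory writable by 'other', with its sticky-bit state."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append((os.path.relpath(path, root), bool(st.st_mode & stat.S_ISVTX)))
    return sorted(found)


def audit_home_dirs(root, expected_owner):
    """Home directories must belong to the actual user and be closed to others.
    expected_owner maps user -> uid, taken from the user profile register."""
    findings = []
    for user, uid in expected_owner.items():
        st = os.stat(os.path.join(root, "home", user))
        if st.st_uid != uid:
            findings.append((user, "owned_by_other_uid"))
        if st.st_mode & 0o077:                 # any group / other permission bit set
            findings.append((user, "accessible_by_others"))
    return findings


def files_exposed_to_others(root, subdir="app"):
    """Application parameter / configuration files readable or writable by 'other'."""
    exposed = []
    for dirpath, _, files in os.walk(os.path.join(root, subdir)):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def run_audit():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        me = os.getuid()
        # Constructed register: rkumar's directory is expected to belong to a
        # different uid, so the ownership finding is exercised.
        register = {"asharma": me, "rkumar": me + 1}
        return {
            "world_writable": world_writable_dirs(root),
            "home": audit_home_dirs(root, register),
            "exposed_app_files": files_exposed_to_others(root),
        }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On a real host the same walk is usually done with `find / -xdev -type d -perm -0002` for item 10.22; the Python version adds the sticky-bit state so that shared spool areas set as per guidelines can be separated from stray world writable application directories.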

System Administration

10.24 Ensure that the facility to logon as Super User is restricted to the system console for security reasons.

10.25 Check the password definition parameters included in the system and ensure that the minimum password length is specified according to the IT security policy of the Bank (ideally, at least 6 characters).

10.26 Ensure that the maximum validity period of a password is not beyond the number of days permitted in the IT Security policy.

10.27 Check whether the parameters to control the maximum number of invalid logon attempts have been specified properly in the system according to the security policy.

10.28 Check whether password history maintenance has been enabled in the system to disallow the same passwords from being used again and again on a rotation basis.

Verify if the parameters to control the password format have been properly set according to the security policy of the Bank.

10.30 Verify the parameters in the system to control automatic log-on from a remote system and ensure whether they have been properly set according to the security policy.

10.31 Verify the parameters in the system to control the number of concurrent connections a user can have simultaneously from different terminals and ensure that it is restricted as per CPPD / IT Department guidelines.

10.32 Examine the terminal inactive time allowable for users and verify if the time set is in accordance with the guidelines.

10.33 If the minimum password validity period is not set properly, verify the latest date of change of privileged passwords including Super User and ensure that the password is not too old, in any case not older than a month.

10.34 Check whether automatic logging of user activities is enabled.

10.35 Check for unexpected users logged on to the system at odd times.

Maintenance of sensitive user accounts

Ascertain who is the custodian of sensitive passwords such as Super User and verify if he/she is maintaining secrecy of the password, and whether he/she has preserved the password in a sealed envelope with movement records for usage in case of emergency.

From the log file, identify the instances of use of sensitive passwords such as Super User and verify if records have been maintained by the Branch / Office with the reason for the same. Ensure that such instances have been approved by CPPD / TBC Group / IT Department and whether the Branch Manager, Password Custodian and DBA have signed the record.

From the log file, identify the instances of unsuccessful logon attempts to the Super User account and check the terminal ID / IP address from which it is happening. Check if appropriate reporting and escalation procedures are in place for such violations.
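The two log-file checks above, together with 10.35 (users logged on at odd times), can be automated over the system's authentication log. The Python below is an added example and not part of the checklist: the log lines are constructed in the style of syslog entries from sshd and su (no real host, user or address), the movement record of approved Super User uses is constructed, and the escalation threshold of three failed attempts is an assumption to be taken from the Bank's reporting procedure.

```python
import re
from collections import Counter

# Constructed log lines in the style of syslog entries from sshd and su.
LOG = """\
Aug  8 02:14:01 brsrv sshd[2201]: Failed password for root from 10.20.30.40 port 51002 ssh2
Aug  8 02:14:05 brsrv sshd[2201]: Failed password for root from 10.20.30.40 port 51004 ssh2
Aug  8 02:14:09 brsrv sshd[2201]: Failed password for root from 10.20.30.40 port 51006 ssh2
Aug  8 09:01:33 brsrv su[3310]: (to root) asharma on pts/1
Aug  8 09:01:33 brsrv su[3310]: pam_unix(su:session): session opened for user root by asharma(uid=1001)
Aug  8 09:20:10 brsrv sshd[3400]: Accepted password for rkumar from 10.20.30.15 port 51500 ssh2
Aug  8 23:47:52 brsrv sshd[4102]: Accepted password for root from 10.20.30.77 port 52011 ssh2
Aug  9 01:03:11 brsrv sshd[4210]: Failed password for root from 10.20.30.40 port 51100 ssh2
"""
# Movement record kept by the Branch (constructed): (user who drew the Super User password, day).
APPROVED_USES = {("asharma", "Aug 8")}

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")


def parse(log):
    """Turn raw lines into events: failed logon, successful login, or su to another user."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        base = {"day": f"{m['mon']} {m['day']}", "when": f"{m['mon']} {m['day']} {m['time']}",
                "hour": int(m["time"][:2])}
        msg = m["msg"]
        if f := FAILED_RE.search(msg):
            events.append({**base, "kind": "failed", "user": f["user"], "actor": None, "src": f["src"]})
        elif a := ACCEPTED_RE.search(msg):
            events.append({**base, "kind": "login", "user": a["user"], "actor": None, "src": a["src"]})
        elif s := SU_RE.search(msg):
            events.append({**base, "kind": "su", "user": s["target"], "actor": s["actor"], "src": s["tty"]})
    return events


def failed_superuser_attempts(events, superuser="root"):
    """Unsuccessful logons to the Super User account, counted per terminal / IP address."""
    return dict(Counter(e["src"] for e in events if e["kind"] == "failed" and e["user"] == superuser))


def sources_to_escalate(events, threshold=3):
    """Sources that reached the reporting threshold (assumed: 3 failures)."""
    return sorted(src for src, n in failed_superuser_attempts(events).items() if n >= threshold)


def superuser_usage(events, superuser="root"):
    """Every successful use of the Super User account, whether by su or direct login."""
    return [e for e in events if e["kind"] in ("login", "su") and e["user"] == superuser]


def unrecorded_superuser_usage(events, approved=APPROVED_USES):
    """Super User uses with no matching entry in the movement record."""
    return [e for e in superuser_usage(events) if (e["actor"] or e["user"], e["day"]) not in approved]


def odd_hour_logins(events, night_start=22, night_end=6):
    """10.35: successful logins outside working hours (assumed window 22:00 to 06:00)."""
    return [(e["user"], e["src"], e["when"]) for e in events
            if e["kind"] == "login" and (e["hour"] >= night_start or e["hour"] < night_end)]


if __name__ == "__main__":
    ev = parse(LOG)
    print("failed Super User logons by source:", failed_superuser_attempts(ev))
    print("escalate:", sources_to_escalate(ev))
    print("unrecorded Super User use:", [(e["when"], e["src"]) for e in unrecorded_superuser_usage(ev)])
    print("odd hour logins:", odd_hour_logins(ev))
```

The direct login as root at 23:47 is flagged twice, once because no one signed the movement record for it and once because of the hour; with 10.24 in force (Super User only from the console) a network login of that kind should not be possible at all.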

Logical Access Controls

Does the software allow creation of user-IDs in the same name more than once?

Does the software encrypt the passwords one way and store the same in encrypted form?

Does the software display the password as it is keyed in?

Does the software lock the user-ID if it is used for 3 unsuccessful attempts to logon to the system?

Does the software force the User to change the password at set periodical intervals?

Does the software maintain password history, i.e., does it not allow the same password to be used again on a rotation basis?

Is there any audit trail for the maintenance of User profiles?

Does the software have provision to create and maintain user-IDs based on users' designations and positions held?

Can the DBA change others' passwords? If so, is it reflected in the audit trail?

If a user-id record is deleted, does the software delete it physically or logically? Is the software capable of producing a report of logically deleted User-IDs?

Does the software have provision to restrict different menu options to different user-IDs based on user level (based on designation / powers, etc.)?

Does the software have provision for defining access rights to users such as Read Only, Read and Write, Modify, Delete, etc.?

Verify who can do the User Profile Maintenance. Does the system give the facility to general users also to do user profile maintenance?

Does the software tag each and every transaction with the user-IDs of maker and checker?

Does the software allow the same user to be both maker and checker of the same transaction? If so, does the software produce an exception report of transactions with the same maker and checker IDs?

Are the User-IDs reflected in the contents of the report printed?

Does the software allow automatic logical deletion of inactive users after a certain period of time?

Does the system maintain password length to be of minimum 6 or 8 characters or as indicated in the password policy? Can the user-IDs be created without passwords?

Does the system limit the maintenance of system control parameters to privileged user level having sufficient authority only?
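The password controls asked about in this section and in items 10.25 to 10.28 of System Administration (one-way storage, no duplicate user-IDs, no ID without a password, minimum length, lock after 3 unsuccessful attempts, forced periodic change, history on rotation) are implemented together in the following added Python example. It is not code from the checklist or from any banking application; the policy values, user names and passwords are constructed, and the PBKDF2 round count is an assumption chosen to keep the demonstration fast.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Password definition parameters (constructed values; in practice taken from
# the Bank's IT security policy).
POLICY = {"min_length": 8, "max_age_days": 45, "max_failed_logons": 3, "history_depth": 5}
PBKDF2_ROUNDS = 100_000      # assumption for the demonstration


def hash_password(password, salt):
    """One-way hash: only salt and digest are ever stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_on: int                 # day number of the last password change
    failed_logons: int = 0
    locked: bool = False
    history: list = field(default_factory=list)   # previous (salt, digest) pairs


class UserStore:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.accounts = {}

    def _check_new_password(self, acct, password):
        if len(password) < self.policy["min_length"]:
            raise ValueError("password shorter than the policy minimum")
        if acct is not None:                  # history: refuse reuse on rotation
            for salt, digest in [(acct.salt, acct.digest)] + acct.history:
                if hmac.compare_digest(hash_password(password, salt), digest):
                    raise ValueError("password was used before")

    def create_user(self, user_id, password, today):
        if user_id in self.accounts:
            raise ValueError("user-ID already exists")        # same name only once
        if not password:
            raise ValueError("user-ID cannot be created without a password")
        self._check_new_password(None, password)
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt), today)

    def login(self, user_id, password, today):
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return "denied"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_logons += 1
            if acct.failed_logons >= self.policy["max_failed_logons"]:
                acct.locked = True                            # lock after 3 failures
                return "locked"
            return "denied"
        acct.failed_logons = 0
        if today - acct.changed_on > self.policy["max_age_days"]:
            return "change_required"                          # forced periodic change
        return "ok"

    def change_password(self, user_id, old, new, today):
        acct = self.accounts[user_id]
        if not hmac.compare_digest(hash_password(old, acct.salt), acct.digest):
            raise ValueError("current password incorrect")
        self._check_new_password(acct, new)
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[: self.policy["history_depth"]]
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        acct.changed_on = today

    def unlock(self, user_id):
        """Administrator action; the audit trail of who unlocked belongs in profile maintenance."""
        self.accounts[user_id].locked = False
        self.accounts[user_id].failed_logons = 0


def rejects(fn, *args):
    """True if the store refuses the operation with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    store.create_user("asharma", "Winter2018!x", today=100)
    print("duplicate ID refused:", rejects(store.create_user, "asharma", "Another1234", 100))
    print([store.login("asharma", "wrong", 101) for _ in range(3)])   # denied, denied, locked
```

Note that a correct password is still refused once the ID is locked, and that the stored record holds only the salt and digest, so neither a report nor the DBA can recover the password from it.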

Input Controls

Whether each transaction is recorded in such a way that it can be subsequently established that it has been input (e.g., Tran ID etc.)?

Does the software have controls to ensure that all recorded transactions are:

.22.1 Input to the system and accepted once and only once.

.22.2 If transactions are rejected, they are reported.

Are there adequate procedures to investigate and correct differences or exceptions identified? Are there adequate procedures to investigate and, if necessary, correct the following:

Missing and possible duplicate transactions disclosed by the input control
Rejected items

If corrections are made to rectify differences, exceptions, duplicate transactions, missing transactions and rejected items, are they approved (e.g., maker / checker, exception report, etc.)?

If the input of data is through batch upload, does the software have controls to ensure that all the entries in the batch have been uploaded without any omission / commission (e.g., reconciliation of control totals, etc.)?

Does the software have adequate controls to ensure that data have been accurately input (e.g. range checks, validity checks, control totals, etc.)?

11.27 Verify the controls to ensure compatibility of data when they are input at two or more modules and are correlated (e.g. if the customer category in the customer master is stated as Staff, the rate of interest in the account master for the same customer should have the appropriate code applicable to staff and the system should not allow other codes).

Verify the consistency / concurrency of user inputs if two users are accessing the same record at the same time.

11.29 Verify if the inputs can be captured for various conditions (e.g. if signatures can be captured for single A/c, Joint A/c etc.).

11.30 Verify the controls over system-generated transactions through user processes (e.g. verification of outputs containing system generated transactions and authentication by branch officials).

11.31 If user controls are relied upon to ensure the controls over complete and accurate input of data, are these controls adequate and operative continuously?
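The batch-upload controls above (once-and-only-once input, reporting of rejected items, reconciliation of control totals, range and validity checks) are worked through in the following added Python example, which is not part of the checklist. The batch file format, the control record layout (record count, amount total, hash total of account numbers), the transaction IDs and the per-transaction amount ceiling are all constructed; a real interface would carry the control totals in whatever trailer record the sending system defines.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed batch file: the first line is the control record written by the
# sending system (record count, amount total, hash total of account numbers);
# the rest are transactions as tran_id, account, amount, type.
BATCH = """\
CTL,5,15150.00,10617282595
T1001,1234567890,5000.00,CR
T1002,1234567891,250.00,D R
T1003,2345678901,10000.00,CR
T1004,2345678901,-100.00,DR
T1002,3456789012,0.00,XX
""".replace("D R", "DR")
# The same batch with one record lost in transfer; the control record was not adjusted.
BATCH_SHORT = BATCH.replace("T1004,2345678901,-100.00,DR\n", "")
AMOUNT_LIMIT = Decimal("1000000.00")   # constructed per-transaction ceiling


def parse_batch(text):
    rows = list(csv.reader(io.StringIO(text)))
    ctl = rows[0]
    control = {"count": int(ctl[1]), "amount": Decimal(ctl[2]), "hash": int(ctl[3])}
    records = [dict(zip(["tran_id", "account", "amount", "type"], r)) for r in rows[1:]]
    return control, records


def reconcile_control_totals(control, records):
    """Batch-level completeness check: {total: (actual, expected)} for each mismatch."""
    actual = {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash": sum(int(r["account"]) for r in records if r["account"].isdigit()),
    }
    return {k: (actual[k], control[k]) for k in control if actual[k] != control[k]}


def validate_record(rec, seen_in_batch, already_posted):
    """Record-level checks; every failing reason is reported, not just the first."""
    reasons = []
    if rec["tran_id"] in already_posted:
        reasons.append("already input")                  # once and only once
    elif rec["tran_id"] in seen_in_batch:
        reasons.append("duplicate tran ID in batch")
    if not (rec["account"].isdigit() and len(rec["account"]) == 10):
        reasons.append("invalid account number")         # validity check
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        amount = None
    if amount is None or not (Decimal("0") < amount <= AMOUNT_LIMIT):
        reasons.append("amount out of range")            # range check
    if rec["type"] not in ("DR", "CR"):
        reasons.append("invalid transaction type")
    return reasons


def validate_batch(text, already_posted):
    control, records = parse_batch(text)
    diff = reconcile_control_totals(control, records)
    accepted, rejected, seen = [], [], set()
    for rec in records:
        reasons = validate_record(rec, seen, already_posted)
        seen.add(rec["tran_id"])
        if reasons:
            rejected.append((rec["tran_id"], reasons))    # rejected items are reported
        else:
            accepted.append(rec["tran_id"])
    # Nothing is posted unless the batch as received reconciles to its control record.
    return {"control_ok": not diff, "control_diff": diff,
            "accepted": accepted if not diff else [], "rejected": rejected}


if __name__ == "__main__":
    result = validate_batch(BATCH, already_posted={"T1003"})
    print("control totals agree:", result["control_ok"])
    print("accepted:", result["accepted"])
    for tran_id, reasons in result["rejected"]:
        print("rejected", tran_id, "->", "; ".join(reasons))
    print("short batch:", validate_batch(BATCH_SHORT, set())["control_diff"])
```

The control totals are computed over the batch exactly as received, before any record is rejected, because their purpose is to detect omission or commission in the transfer itself; the record-level rejections are a separate report that the investigating official corrects and re-submits under maker / checker.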


Processing Controls

Does the software have adequate controls to ensure that all transactions input have updated the files?

11.33 If user controls are relied upon to ensure the controls over complete and accurate update of files with data, are these controls adequate and operative continuously?

Are there adequate procedures for investigation and correction of differences or exceptions identified by the controls over update for completeness and accuracy?

11.35 Are such corrections approved?

11.36 List out the events that cause the transaction to be generated (e.g. input of a parameter such as a date, attainment of a condition, etc.), the key data used as a basis for the generation, and the programmed procedures that perform the generation. (E.g., in the interest calculation process, generally, the user will run the interest run job and the system will take the customer balances (key data) and apply interest rates (key data) and debit / credit the interest. The program which performs these activities should be logically sound so that no processing errors are introduced.)

11.37 For the key data outlined above, are there adequate controls to ensure that the key data used as a basis for the generation of data are complete and accurate?

11.38 Where applicable, whether the key data is authorised by the appropriate level of users and kept secure?

11.39 For the programmed procedure that generates the data, if user controls are relied on to check the accuracy of the generation process, are these controls adequate?

11.40 Are there adequate procedures to investigate and correct any differences or exceptions identified by the controls over the completeness and accuracy of generation? Are the corrections approved?

Is there any restart facility for batch jobs if they terminate abruptly? Are there controls to ensure that no errors are introduced during restart?

Is the User-ID of the person who executes the batch job embedded in the transactions?

11.43 If the process has to be done only once, does the software ensure that the process is not executed more than once?

Is there any day begin / day end process? If so, are these processes logically sound to carry out the designed objectives completely and accurately?

Are the transactions for the day identifiable?

11.46 Does the software ensure sequencing of processes? I.e., does the software ensure that processes are not initiated out of sequence?

If certain processes are compulsory, does the software ensure that all such processes are completed before triggering the day end process?

Verify if there is an event log for the batch processes.

Verify if the application is able to handle processing at peak times (e.g. is the application capable of handling progressively increasing volumes).

Verify if the software maintains an audit-trail to uniquely trace any modification / deletion / addition with user-ID.

If updates occur in more than one file or table and the process is interrupted, verify if there is a roll back.

Verify if the application maintains adequate control over security items such as DDs / Pay Orders / Branch advices, etc. Are they reconciled and exceptions identified and reported?
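The batch-processing controls above (restart without introducing errors, the executing user-ID embedded in generated transactions, once-only execution under 11.43, sequencing under 11.46, compulsory processes before day end, an event log, and roll back when an interrupted process has updated more than one table) are shown together in the following added Python example built on SQLite. It is not code from the checklist or from any core banking system; the account balances, the interest rate, the process sequence and the user-IDs are constructed, and the interest run is deliberately interrupted part way to show that the partial updates to both tables are undone.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts(acct TEXT PRIMARY KEY, balance INTEGER NOT NULL, rate_bp INTEGER NOT NULL);
CREATE TABLE interest_postings(acct TEXT, business_date TEXT, amount INTEGER, run_by TEXT,
                               UNIQUE(acct, business_date));
CREATE TABLE process_runs(process TEXT, business_date TEXT, run_by TEXT, status TEXT,
                          PRIMARY KEY(process, business_date));
CREATE TABLE event_log(process TEXT, business_date TEXT, run_by TEXT, event TEXT);
"""
# Compulsory order of the day's batch processes (constructed).
SEQUENCE = ["interest_run", "day_end"]


def open_db():
    con = sqlite3.connect(":memory:")
    con.isolation_level = None            # explicit BEGIN / COMMIT / ROLLBACK below
    con.executescript(SCHEMA)
    # Constructed balances in paise; rate in basis points per annum.
    con.executemany("INSERT INTO accounts VALUES (?,?,?)",
                    [("A1", 100_000, 400), ("A2", 250_000, 400), ("A3", 5_000, 400)])
    return con


def log_event(con, process, date, user, event):
    con.execute("INSERT INTO event_log VALUES (?,?,?,?)", (process, date, user, event))


def run_process(con, process, date, user, body):
    """Run one batch process: in sequence, once only per business date, and
    atomically (all of its table updates commit together or not at all)."""
    for earlier in SEQUENCE[: SEQUENCE.index(process)]:
        row = con.execute("SELECT status FROM process_runs WHERE process=? AND business_date=?",
                          (earlier, date)).fetchone()
        if row is None or row[0] != "completed":
            log_event(con, process, date, user, f"refused: {earlier} not completed")
            return "out_of_sequence"
    con.execute("BEGIN")
    try:
        con.execute("INSERT INTO process_runs VALUES (?,?,?,?)", (process, date, user, "running"))
    except sqlite3.IntegrityError:          # primary key: already run for this date
        con.execute("ROLLBACK")
        log_event(con, process, date, user, "refused: already run for this date")
        return "already_run"
    try:
        body(con, date, user)
        con.execute("UPDATE process_runs SET status='completed' WHERE process=? AND business_date=?",
                    (process, date))
        con.execute("COMMIT")
        log_event(con, process, date, user, "completed")
        return "completed"
    except Exception as exc:                # interruption: undo every partial update
        con.execute("ROLLBACK")
        log_event(con, process, date, user, f"rolled back: {exc}")
        return "rolled_back"


def interest_run(con, date, user, fail_after=None):
    """Monthly interest: balances and rates are the key data; the executing
    user-ID is embedded in each posting. fail_after simulates a crash."""
    rows = con.execute("SELECT acct, balance, rate_bp FROM accounts ORDER BY acct").fetchall()
    for n, (acct, balance, rate_bp) in enumerate(rows):
        if fail_after is not None and n == fail_after:
            raise RuntimeError("simulated interruption")
        interest = balance * rate_bp // 10_000 // 12
        con.execute("UPDATE accounts SET balance = balance + ? WHERE acct=?", (interest, acct))
        con.execute("INSERT INTO interest_postings VALUES (?,?,?,?)", (acct, date, interest, user))


def day_end(con, date, user):
    """Placeholder body; the sequencing guard in run_process is what is demonstrated."""


def demo(date="2018-04-10"):
    con = open_db()
    total = lambda: con.execute("SELECT sum(balance) FROM accounts").fetchone()[0]
    postings = lambda: con.execute("SELECT count(*) FROM interest_postings").fetchone()[0]
    out = {"day_end_too_early": run_process(con, "day_end", date, "asharma", day_end)}
    out["interrupted"] = run_process(con, "interest_run", date, "asharma",
                                     lambda c, d, u: interest_run(c, d, u, fail_after=1))
    out["after_interrupt"] = (total(), postings())        # unchanged: the roll back worked
    out["restart"] = run_process(con, "interest_run", date, "asharma", interest_run)
    out["rerun"] = run_process(con, "interest_run", date, "rkumar", interest_run)
    out["day_end"] = run_process(con, "day_end", date, "asharma", day_end)
    out["after_run"] = (total(), postings())
    out["events"] = con.execute("SELECT count(*) FROM event_log").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the `process_runs` row is inserted inside the same transaction as the postings, an interrupted run leaves no trace that would block the restart, while a completed run leaves a row that blocks a second execution on the same business date; the event log is written outside the transaction so that refused and rolled back attempts remain visible to the auditor.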

Output Controls

Verify the format, contents, accuracy and utility of the reports generated by the system.

Verify if there is any provision for generating an exception transactions statement from the system.

If the output has a large number of pages and printing is interrupted, is there any provision to restart the printing from that page?

Verify if outputs can be viewed / generated by users only on a need to know basis. In other words, check that outputs cannot be generated by all and sundry users in the system.

Check the controls exercised by the user (Branch / Office) on the generation, distribution, authentication and preservation of computer outputs and comment on the adequacy of the same.

11.58 Check whether the application is keeping adequate controls over computer generated outputs lying in the print queue / spool.

11.59 Does the output contain key control information necessary to validate the accuracy and completeness of the information contained in the report, such as last document reference, period, etc.?

Interface Controls

11.60 If the data has to be transferred from one process to another process, verify that no manual intervention is possible and no unauthorised modification to data can be made.

11.61 Verify the mode of transfer of data from one process to another, i.e. through floppy or through mail.

11.62 Verify the effect when one process is down and the interface is working.

11.63 Is there a periodic system of ensuring consistency of data from the process from which it is transferred to the process to which it is transferred?

Authorisation Controls

11.64 If the transaction is authorised by the software itself under specific conditions, are the programmed procedures logically sound to ensure that all authorisations take place only as expected?

Does the software prevent the same user from performing both the functions of entering a transaction and verifying the same?

If transactions are authorised manually, are there controls to ensure that a) they are properly authorised by an independent and responsible official and b) no unauthorised alterations are made to authorised transactions?

11.67 If manually approved transactions are authenticated by the input of a password, are passwords adequately controlled?

Do access rights reflect the appropriate authority limits?

If the transaction is identified by the system as requiring supervisory approval and is, therefore, routed to a queue file pending review and release by a responsible official, are the procedures for identifying items needing approval adequate to identify all such transactions?
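The authorisation controls above (maker and checker must differ, no alteration after authorisation, authority limits, routing to a supervisory queue) and the exception report for same maker and checker asked for under Logical Access Controls are demonstrated in the following added Python example, which is not code from the checklist or from any banking application. The roles, authority limits, user-IDs and amounts are constructed; the second ledger is configured to permit self-checking only to show that software which allows it must at least report it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed authority limits per role (maximum amount a role may authorise)
# and the user-ID -> role mapping an application would take from user profiles.
LIMITS = {"teller": 50_000, "officer": 500_000, "manager": 5_000_000}
ROLES = {"teller1": "teller", "asharma": "officer", "rkumar": "officer", "bm": "manager"}


@dataclass
class Txn:
    tid: str
    amount: int
    maker: str                        # user-ID that entered it
    checker: Optional[str] = None     # user-ID that authorised it
    status: str = "pending"           # pending | queued | authorised


class TxnLedger:
    def __init__(self, allow_same_user=False):
        self.allow_same_user = allow_same_user
        self.txns = {}
        self.audit = []               # audit trail: (tid, action, user-ID)

    def enter(self, tid, amount, maker):
        self.txns[tid] = Txn(tid, amount, maker)
        self.audit.append((tid, "entered", maker))
        return "pending"

    def amend(self, tid, amount, user):
        t = self.txns[tid]
        if t.status == "authorised":          # no alteration after authorisation
            self.audit.append((tid, "amend_refused", user))
            return "refused_authorised"
        t.amount = amount
        self.audit.append((tid, "amended", user))
        return t.status

    def authorise(self, tid, checker):
        t = self.txns[tid]
        if t.status == "authorised":
            return "already_authorised"
        if checker == t.maker and not self.allow_same_user:
            self.audit.append((tid, "check_refused_same_user", checker))
            return "refused_same_user"
        if t.amount > LIMITS[ROLES[checker]]:  # beyond the checker's authority: queue it
            t.status = "queued"
            self.audit.append((tid, "queued_for_higher_authority", checker))
            return "queued"
        t.checker, t.status = checker, "authorised"
        self.audit.append((tid, "authorised", checker))
        return "authorised"

    def approval_queue(self):
        """Items pending review and release by an official with sufficient authority."""
        return [t.tid for t in self.txns.values() if t.status == "queued"]

    def exception_report(self):
        """Authorised transactions whose maker and checker are the same user-ID."""
        return [t.tid for t in self.txns.values()
                if t.status == "authorised" and t.maker == t.checker]


def demo():
    strict = TxnLedger()
    out = {}
    strict.enter("T1", 20_000, "teller1")
    out["self_check"] = strict.authorise("T1", "teller1")
    out["checked"] = strict.authorise("T1", "asharma")
    out["amend_after"] = strict.amend("T1", 25_000, "teller1")
    strict.enter("T2", 800_000, "teller1")
    out["officer_over_limit"] = strict.authorise("T2", "asharma")
    out["queue"] = strict.approval_queue()
    out["manager"] = strict.authorise("T2", "bm")
    out["strict_exceptions"] = strict.exception_report()
    lax = TxnLedger(allow_same_user=True)   # software that permits self-checking must report it
    lax.enter("T3", 1_000, "teller1")
    lax.authorise("T3", "teller1")
    out["lax_exceptions"] = lax.exception_report()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every decision, including refusals, is written to the audit trail with the user-ID that attempted it, which is what makes the later review of the queue and of the exception report possible.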

Data Integrity / File Continuity Controls

11.70 Whether a hash total is used to verify the continued integrity of data? Is the total of the items on the data file regularly reconciled to an independently established total (e.g. agreement to a manual control account or computer agreement to a control record) on a suitable timely basis to ensure that there is no tampering of data?

11.71 Are there adequate procedures to investigate and correct differences disclosed by the above-mentioned reconciliation?

11.72 Verify if the entire record after commit can be physically deleted (it should not be allowed).

11.73 If the software keeps a record of security items, are there adequate controls to ensure the complete and accurate recording of security items in the system?

11.74 Are the programmed procedures which utilise the security items in the system logically sound so that there are no errors?

11.75 Are all asset movements supported by suitable written authorisations?

Checklists for IS Audit Committee on Computer Audit, RBI, DBS, CO 46

12. Database Controls

It is important to ensure the following with reference to databases:

Database is physically secure and free of any corruption
Access to the database is restricted and permitted only to authorized personnel
Referential Integrity of the data is ensured at all times
Accuracy of the contents of the database is verified periodically
Database is also technically verified periodically, in terms of storage space, performance tuning and backup
Backups of the database are periodically retrieved and ensured that they are in order

This checklist is divided into the following areas:

Physical access and protection
Referential Integrity and accuracy
Administration and House Keeping

Physical access and protection

12.1 Is there a list of databases with the names of administrators which the bank recognizes:

(a) Mission Critical Systems such as Internet Banking, Core Banking etc., ATM Base 24 Database
(b) Essential Systems such as Credit Card Processing Systems (which operate in the near online mode)
(c) Reporting Systems such as Data Warehouse, EIS Reporting

12.2 Is there joint responsibility of the user department and the IT Department for administration of mission critical databases?

12.3 Does the IT Department identify and segregate hardware hosting these databases, and have these hardware resources been earmarked?

12.4 In case the same hardware is used at branches or other locations, is there a clear partition between the application area and the data area?

12.5 Does the IT Department have laid down standards / conventions for database creation, storage, naming and archival?

12.6 Are Database administrators at responsible levels in the bank?

12.7 For database access, are the OS level file and directory permissions restricted as required for the application?

12.8 Are users denied access to the database other than through the application?

12.9 Whether use of triggers and large queries is monitored to prevent overloading of the database and consequent system failure?

12.10 Is direct query / access to the database restricted to the concerned database administrators?

12.11 Are all vendor-supplied passwords for the default users changed? Have all demo users and demo databases been removed?

12.12 Are there controls on sessions per user, number of concurrent users etc.?

12.13 Is creation of users restricted and need based? Are the rights granted to various users reasonable and based on requirement?

12.14 Is the database configured to ensure audit trails, logging of user sessions and session auditing?

12.15 Does the administrator maintain a list of batch jobs executed on each database, severity of access of each batch job and timing of execution?

12.16 Are Batch Error Logs reviewed and corrective action taken by the Administrator periodically?

12.17 Is there a separate area earmarked for temporary queries created by power users or the database administrator based on specific user request?

12.18 Are temporary sub databases created removed periodically or after the desired purpose is achieved?

12.19 Does the design or schema of all tables / files in the database contain fields for recording makers, checkers and time stamp?

12.20 Are database administrators rotated periodically?

12.21 In cases where customer data is provided to external service providers, does the bank have confidentiality undertakings from these service providers?

Referential Integrity and Accuracy

12.22 Are there standard sets of database control reports designed in consultation with the user department for ensuring accuracy and integrity of the databases? E.g.:

a) Total of transactions and balances
b) Record Counts
c) Hash Totals
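Items 12.14 (audit trail), 12.19 (maker, checker and time stamp fields in the schema), 12.22 (control reports: balance totals, record counts, hash totals) and the hash total reconciliation of 11.70 fit together in one small database design, shown below as an added Python and SQLite example that is not part of the checklist. The schema, the account numbers and balances, and the user-IDs are constructed; the `app_session` table is an assumption standing in for whatever mechanism the real RDBMS uses to tell a trigger which application user is acting, and is what lets direct back-end entries (12.29 / 12.30) be told apart from changes made through the application.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts(
    acct_no INTEGER PRIMARY KEY, balance INTEGER NOT NULL,
    maker TEXT NOT NULL, checker TEXT, created_at TEXT NOT NULL, updated_at TEXT);
CREATE TABLE app_session(app_user TEXT);   -- set by the application around each change
CREATE TABLE audit_trail(
    seq INTEGER PRIMARY KEY, acct_no INTEGER, action TEXT,
    old_balance INTEGER, new_balance INTEGER, app_user TEXT,
    at TEXT NOT NULL DEFAULT (datetime('now')));
CREATE TRIGGER acc_upd AFTER UPDATE OF balance ON accounts BEGIN
    INSERT INTO audit_trail(acct_no, action, old_balance, new_balance, app_user)
    VALUES (OLD.acct_no, 'UPDATE', OLD.balance, NEW.balance, (SELECT app_user FROM app_session));
END;
CREATE TRIGGER acc_del AFTER DELETE ON accounts BEGIN
    INSERT INTO audit_trail(acct_no, action, old_balance, new_balance, app_user)
    VALUES (OLD.acct_no, 'DELETE', OLD.balance, NULL, (SELECT app_user FROM app_session));
END;
CREATE TABLE control_record(record_count INTEGER, balance_total INTEGER, hash_total INTEGER);
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def app_update_balance(con, user, acct_no, new_balance):
    """A change made through the application: the user-ID is handed to the
    trigger through app_session and the row's time stamp is refreshed."""
    with con:
        con.execute("DELETE FROM app_session")
        con.execute("INSERT INTO app_session VALUES (?)", (user,))
        con.execute("UPDATE accounts SET balance=?, updated_at=datetime('now') WHERE acct_no=?",
                    (new_balance, acct_no))
        con.execute("DELETE FROM app_session")


def control_report(con):
    """12.22 control figures: record count, balance total, hash total of account numbers."""
    return con.execute("SELECT count(*), coalesce(sum(balance),0), coalesce(sum(acct_no),0) "
                       "FROM accounts").fetchone()


def store_control_record(con):
    """Independently established totals, agreed with the user department and kept aside."""
    with con:
        con.execute("DELETE FROM control_record")
        con.execute("INSERT INTO control_record VALUES (?,?,?)", control_report(con))


def reconcile(con):
    """11.70: {figure: (actual, control)} for every figure that no longer agrees."""
    names = ("record_count", "balance_total", "hash_total")
    actual = control_report(con)
    expected = con.execute("SELECT * FROM control_record").fetchone()
    return {n: (a, e) for n, a, e in zip(names, actual, expected) if a != e}


def backend_changes(con):
    """Audit rows with no application user: entries made directly at the back end."""
    return con.execute("SELECT acct_no, old_balance, new_balance FROM audit_trail "
                       "WHERE app_user IS NULL ORDER BY seq").fetchall()


def demo():
    con = open_db()
    with con:      # constructed accounts, entered by teller1 and checked by asharma
        con.executemany("INSERT INTO accounts VALUES (?,?,?,?,datetime('now'),NULL)",
                        [(1001, 50_000, "teller1", "asharma"),
                         (1002, 120_000, "teller1", "asharma"),
                         (1003, 7_500, "teller1", "asharma")])
    app_update_balance(con, "asharma", 1001, 52_000)
    store_control_record(con)
    out = {"reconcile_ok": reconcile(con)}
    # A change applied directly at the back end, bypassing the application.
    with con:
        con.execute("UPDATE accounts SET balance=130000 WHERE acct_no=1002")
    out["reconcile_after"] = reconcile(con)
    out["backend_changes"] = backend_changes(con)
    out["app_changes"] = con.execute("SELECT acct_no, old_balance, new_balance, app_user "
                                     "FROM audit_trail WHERE app_user IS NOT NULL").fetchall()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hash total is a sum of account numbers: it has no business meaning, which is the point, since it changes only when a row is added, removed or re-keyed, while the balance total catches changes to amounts. The back-end update is caught twice, once by the reconciliation and once by the audit row that carries no application user, which is the record the written authorisation of 12.29 must be matched against.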

12.23 Are these reports run directly from the back end database periodically and the results, both positive and negative, communicated by the Administrators to Senior Management Personnel?

12.24 Are these reports run periodically and taken directly by the User Department themselves to ensure accuracy?

12.25 In case of an automated interface between systems, is there a system of reconciliation between the source and receiving system for critical information?

12.26 Is there a system of periodic reconciliation between Sub databases and the GL Database of the bank?

12.27 In cases where data is migrated from one system to another, has the user department verified and satisfied itself about the accuracy of the information migrated?

Is there a formal data migration report?

12.29 Are there entries directly made to the back end databases? If they are made under exceptional circumstances, is there a system of written authorization?

12.30 If entries in the database are updated / deleted due to any exceptional circumstances (e.g. during trouble shooting, etc.), are they approved in writing and recorded?

Administration and House Keeping

12.31 Does the System Administrator periodically review the list of users of the database? Is the review documented?

Are inactive users deactivated?

Is there a back up schedule?

Are databases periodically retrieved from the back up in a test environment and accuracy ensured against the physical environment?

12.35 Are senior personnel from the user department involved in testing backup retrieval?

12.36 Is there periodic purging / archival of databases?

13. NETWORK MANAGEMENT

PROCESS

13.1 Is there an Information Security guidelines document which defines the minimum configuration for any device / link on the bank's network, including levels of encryption?

13.2 Are all platforms / links / devices in compliance with the guidelines? If not, has an appropriate level of management reviewed the non-compliant parts of the network to ensure that the risk levels are acceptable?

13.3 For all items supported by external vendors, does the vendor or the manufacturer verify that all cryptographic functions in use by the product / service, such as encryption, message authentication or digital signatures, use Corporate IT Department approved cryptographic algorithms and key lengths?

13.4 Wherever applicable, whether background and reference checks for both internal and outsourced vendor staff who perform security-related functions for the product / service under review are carried out. This includes job applicants who have accepted a job offer, temporaries, consultants, full time staff as well as the outsourced vendor who is involved in product / service management and operations.

RISK ACCEPTANCE (deviation)

13.5 Does the Bank have a Risk Acceptance process wherein all the identified risks are documented and approved for any non-compliant issue that cannot be remedied and where effective compensatory controls exist?

AUTHENTICATION

13.6 Does the product / service authenticate (verify) the identity of users (or remote systems) prior to initiating a session or transaction? Have these authentication mechanisms been approved by the Bank's IT Department? (These include Personal Identification Numbers (PINs), passwords (static and dynamic), public keys and biometrics.)

13.7 Does the Bank verify that the initial authentication has used a mechanism that is acceptable for the application? Has the approach been approved by the IT Department and have the required compensating controls been implemented?

Passwords

13.8 Does the Bank have a comprehensive password construction, implementation and management policy?

Personal Identification Numbers (PINs)

13.9 Does the Bank have a policy for the Personal Identification Numbers used by the various sets of customers who access the Bank's systems directly using channels like ATM, Phone banking, Internet banking, Mobile banking etc.?

Dynamic Passwords:

13.10 Do the products / services using dynamic passwords for authentication use an IT Department approved authentication server to validate the password?

Public Key Infrastructure (PKI):

13.11 Do the products / services using Public key (or asymmetric) cryptography for authentication, either on a session basis (peer authentication) or on a per message / transaction basis (digital signatures), use approved security protocols to comply with the Public key technology standard?

13.12 For products / services that use PKI, private keys which are stored in hardware or software must be protected via an approved mechanism. The protection mechanism includes user authentication to enable access to the private key.

13.13 For products / services that use PKI, an approved process for verifying the binding of a user identity to the public key (e.g., digital certificate) is required for any server relying on public key authentication.

Biometrics Authentication:

13.14 Do the products / services utilizing biometrics authentication only use biometrics for local authentication?

ACCESS CONTROL

13.15 Is the access to highly privileged IDs (e.g., system administration access) strictly controlled, audited and limited in its use?

13.16 Does the product / service support the need to perform a periodic entitlement review? A periodic entitlement review process should validate access privileges.

13.17 Does the product / service support the requirement to limit individual user sessions to a maximum of X minutes of inactivity using either session time out or a password protected screen saver?

13.18 Is there a process in place to ensure that access rights reflect changes in employee or job status within X hours of the change? This includes physical access tokens and dial-in capabilities as well as any systems or applications.

  • 8/8/2019 Post Implementation Issues

    12/24

    13.19 Does the product/service supports the ability to disable external customer user IDs after

    X months of inactivity and deleted after Y months of inactivity unless they are extended

    through the explicit written approval of the business.13.20 For any products/services, which has been outsourced, Is there a process in place to

    ensure that all platforms, services and applications are configured to meet Banks

    Information Security Standards?13.21 Does the product/service display the (A) date and time of last successful login and (B)

    the

    number of unsuccessful login attempts since the last successful login.13.22 Does the product/service support a periodic process to ensure that all user IDs for

    employees, consultants, agents, or vendors are disabled after X days and deleted after Y

    days from the day they were not used unless explicitly approved by the business.

    CRYPTOGRAPHY

13.23 Is there a cryptography/encryption policy for the various types of classified information that travel or get stored within and outside the Bank's network(s)?

    NETWORK INFORMATION SECURITY

13.24 Have the network data monitoring tools (e.g., sniffers, datascopes and probes) utilized by the product/service been approved by the Bank's IT Department?

13.25 Is the approved Legal Affairs banner displayed at every entry point where an internal user logs into the product/service? Is an automated pause or slow roll rate in place to ensure that the banner is read? The Legal Affairs banner usually carries the following kind of text:

You are authorized to use this system for approved business purposes only. Use for any other purposes is prohibited. All transactional records, reports, e-mail, software and other data generated or residing upon this system are the property of the Company and may be used by the Company for any purpose. Authorized and unauthorized activities may be monitored.

NOTE: This is required for all mainframe, mid-range, workstation, personal computer and network systems.

13.26 Has dial-in connectivity been prohibited on network-connected machines (servers and workstations) except where documented and explicitly approved in writing by Business Management and the IT Department? Where explicitly approved, the modem must, as a minimum control, not answer or pick up until after the 5th ring.

13.27 Have the remote control products used in a dial-in environment been explicitly approved by the IT Department?

13.28 Is it ensured that only software (applications, operating systems, etc.) still supported by its vendor is used? (Unsupported software could be vulnerable to attack, since the vendor would not issue the relevant patches.)

13.29 Is the anti-virus software configured to check for viruses even from the floppy drive / CD-ROM drive?

    E-MAIL AND VOICE MAIL RULES AND REQUIREMENTS

    13.30 Is there a policy that covers e-mail & voice mail transmission of data?

13.31 Whether there are procedures which require that all incoming e-mail messages be scanned for viruses, to prevent virus infection of the Bank's network?

13.32 Whether all e-mails are identified with a user's name or e-mail ID to facilitate tracking?


Whether the e-mail ID allotted to a user is prevented from being used by another user?

    13.33 Ensure that users do not forward the e-mail messages automatically without prior

    approval.

13.34 Whether there are procedures to ensure that users do not send confidential or sensitive information via e-mail? Whether the information transmitted through e-mail is encrypted?

13.35 Whether all e-mails sent and received by employees via the Bank's network are treated as the Bank's records? Is there a procedure to monitor them?

    INFORMATION SECURITY ADMINISTRATION

13.36 Is there an approved document clearly outlining the Information Security Administrator's (ISA) responsibilities?

13.37 Are all administrative actions (e.g., adding/deleting users, changes to entitlements/passwords) backed up by an independent review?

13.38 Does the ISA function review all security audit logs, incident reports and on-line reports at least once per business day?

13.39 In the case of Wide Area Networks (WAN), are the routing tables maintained securely in the routers?

13.40 Are router login IDs and passwords treated as sensitive information and managed only by authorised administrators?

13.41 Are all changes to router table entries logged and reviewed independently? Are access violations noted, escalated to higher authority and acted upon in a timely manner?

13.42 Is there a process to report all unusual or suspicious activity (reporting to the IT Department, investigating immediately and bringing the case to closure without delay)?

13.43 Does the ISA function assess compliance with its security procedures quarterly and report the results to the IT Department?


13.44 Have all security-related administrative procedures under the control of the ISA been documented and approved by management (annual exercise)? At a minimum, the procedures should include:

- Information Ownership
- Data Classification
- User registration/Maintenance
- Audit Trail review
- Violation logging and reporting
- Sensitive activity reporting
- Semi-Annual Entitlement Reviews
- Password resets
- Escalation reporting

    MICROCOMPUTER/PC SECURITY

13.45 Do the LAN servers, mail servers and microcomputers have IT Department-approved anti-virus products installed?

13.46 Are all product/service-specific microcomputers/PCs secured against removal and theft, commensurate with the value of the computer and the information it holds, along with a process to report any thefts to the IT Department?

13.47 Are microcomputers / PCs holding sensitive information protected with a power-on password to prevent unauthorised access?

13.48 Is sensitive data on such microcomputers / PCs backed up and preserved properly, with records, to ensure recovery in case of failure?

AUDIT TRAILS

13.49 Does the audit trail associated with the product/service support the ability to log and review all actions performed by systems operators, systems managers, system engineers, system administrators, highly privileged accounts and emergency IDs?

13.50 Do financial transactions, as well as additions, changes and deletions to customers' demographic data / important statistics, get recorded in the product/service audit trail?

13.51 Does the audit trail for the product/service record all identification and authentication processes? Is there a retention period for the audit trails?

13.52 Does the audit trail associated with the product/service log all actions by the ISA?

13.53 Is there a process to log and review all actions performed by systems operators, systems managers, system engineers, system administrators, security administrators and highly privileged IDs?

13.54 Is there a process in place to log and review actions performed by emergency IDs associated with the product/service?
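Items 13.49, 13.53 and 13.54 ask for privileged and emergency-ID actions to be logged and reviewed, but not how a reviewer gets from a raw log to the daily list and the escalations. The block below is an added example, not part of the checklist and not tied to any particular product, of that review step run over a small constructed Linux auth log (sudo and sshd lines in syslog format; other platforms log differently). The host name, user IDs, the "emerg" naming of emergency IDs and the approval register are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (not a real log): sudo and sshd lines as a Linux host
# writes them to its auth log. Formats on other platforms differ.
SAMPLE_LOG = """\
Aug  8 09:01:02 corehost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Aug  8 09:05:40 corehost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob
Aug  8 09:20:11 corehost sudo:  emerg01 : TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Aug  8 09:21:00 corehost sudo:    carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/app.log
Aug  8 09:30:00 corehost sshd[2211]: Accepted password for root from 10.1.2.3 port 51122 ssh2
Aug  8 09:31:07 corehost sshd[2214]: Accepted publickey for carol from 10.1.2.9 port 51200 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sudo:\s+(?P<who>\S+) : TTY=\S+ ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<who>\S+) from (?P<src>\S+)")
SHELLS = {"bash", "sh", "ksh", "zsh", "su"}   # commands that hand over an unlogged session


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn the two line types we care about into dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
            continue
        m = SSHD_RE.match(line)
        if m:
            events.append({"kind": "login", **m.groupdict()})
    return events


def privileged_actions(events) -> List[Tuple[str, str, str]]:
    """13.49 / 13.53: every command run as the privileged target user, as
    (timestamp, who, command), for the reviewer's daily list."""
    return [(e["ts"], e["who"], e["cmd"]) for e in events
            if e["kind"] == "sudo" and e["target"] == "root"]


def exceptions(events, emergency_ids: Set[str], approved: Set[str]) -> List[Tuple[str, str, str]]:
    """13.54 and related: entries that need escalation rather than routine review.
    'approved' is the set of emergency IDs with a recorded approval for the period."""
    findings = []
    for e in events:
        if e["kind"] == "sudo":
            if e["who"] in emergency_ids and e["who"] not in approved:
                findings.append((e["who"], "emergency ID used without recorded approval", e["cmd"]))
            program = e["cmd"].split()[0].rsplit("/", 1)[-1]
            if program in SHELLS:
                # Once a shell is obtained, later commands never reach the sudo log.
                findings.append((e["who"], "interactive shell obtained via sudo", e["cmd"]))
        elif e["kind"] == "login" and e["who"] == "root":
            findings.append((e["who"], "direct root login over the network", e["src"]))
    return findings


EVENTS = parse_auth_log(SAMPLE_LOG)
EMERGENCY_IDS = {"emerg01"}          # assumed naming convention for emergency IDs
FINDINGS = exceptions(EVENTS, EMERGENCY_IDS, approved=set())

if __name__ == "__main__":
    for row in privileged_actions(EVENTS):
        print("reviewed:", row)
    for row in FINDINGS:
        print("escalate:", row)
```

The daily list contains all four sudo commands; the escalation list contains the emergency ID used with no approval on file, the same ID obtaining a shell (after which its actions are invisible to this log) and a root login over the network. Supplying the ID in the approved set removes only the first of those.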

    VIOLATION LOGGING MANAGEMENT

13.55 Is the product/service capable of logging the minimum criteria specified to log and report specific security incidents and all attempted violations of system integrity?

    13.56 Are the product/service owners aware of their responsibilities with respect to Security

    incident reporting?

    INFORMATION STORAGE AND RETRIEVAL

13.57 Has all media (files/floppies/disks, etc.) under the control of the product/service owner been marked with its classification and securely stored, with access restricted to authorised personnel only?

13.58 Is there a process in place to ensure that all media under the control of the product/service owner containing critical information is destroyed in a manner that renders it unusable and unrecoverable?

13.59 Is there a procedure in place that enforces and maintains a clean desk program which secures all critical information from unauthorised access?

    PENETRATION TESTING

13.60 Is it ensured that products/services that use the Internet for connectivity or communications have undergone a successful penetration test prior to production implementation?

13.61 Is there a penetration test process that ensures that modifications to a product/service using the Internet for connectivity or communication are reviewed to determine whether a subsequent penetration test is warranted?

    13.62 Is there an intrusion detection system in place for all the external IP connections?

    14. Maintenance


Maintenance will include the following:

1. Change Request Management and version control
1.1. Software developed in-house
1.2. Software purchased from outside vendor
2. Software trouble shooting
3. Backup and recovery
4. Hardware maintenance
5. Training


Wherever an Application Service Provider, who owns the hardware and maintains the OS / application software, processes the data for the User, a detailed Service Level Agreement should cover the entire maintenance.

    Change Request Management and Version Control

    Software developed in-house

14.1 Check whether requests for changes are initiated by users in a structured change request form (CRF) with pre-printed numbers.

14.2 Are these change requests inwarded in a manual / electronic register with the CRF number before initiating the change?

14.3 Are the change requests subjected to a feasibility study?

14.4 Verify whether the change request is approved by Management before effecting the changes in the software, and that the approval is recorded on the CRF.

14.5 Verify whether the changes are made only in the test environment and not in the live environment (separation of test and production libraries).

14.6 After making changes, are they tested adequately before implementation (unit testing, integration testing, regression testing, etc.)? All these testing procedures should happen only in the test library.

14.7 Once the programs are ready after testing, are they approved by a senior programmer / Departmental Head? Are such approvals recorded on the CRF?

14.8 After the changes are approved, are the changed programs transferred to the production library by an independent person who does not have programming / development responsibilities?

14.9 Does the production library have both the sources and the executables of the latest version of the programs?


14.10 Check that programmers are not given access to the production library. Similarly, check that access to the test library is restricted to programmers only.

14.11 Verify if the changes are reflected in the user, technical, operations and all other relevant manuals, so that they describe the current state of the software. Is the CRF updated to this effect?

14.12 Verify if implementation guidelines are prepared by the programmers for properly implementing the changes at the user sites. Are they approved?

14.13 Verify if the changes are implemented at the user sites in accordance with the implementation guidelines. Is the CRF updated to this effect?

14.14 After completing all these steps, is the open entry in the change request register rounded off for the relevant CRF number, to bring it to a logical conclusion?

14.15 Is the completed CRF filed along with the system documents?


14.16 Are there procedures to review and monitor all pending change requests and initiate timely action to resolve them?

    Version Control

14.17 Verify the procedure for roll-out of software to the user sites. Check who creates the executables from the changed source code for implementation at the user sites, and ensure that such person(s) is/are independent of development activities.

14.18 Verify if access to the compilers is restricted to only those authorised persons who are empowered to create the executables from the source code.

14.19 Check whether the identity of the different programs is maintained between any two software releases, and that each release contains all the changes to the different programs since the previous release.

14.20 Check whether each release is given a version number.


14.21 Verify if proper records are maintained to reflect the different version numbers of the software, their composition and location. The latest version should be easily differentiated from the older versions.

14.22 If possible, take the latest version of any one program in the test library and arrange to compile it to arrive at the new executable. Note down the byte size of the new executable and compare whether the byte size of the executable in the live area at the user site is the same as the size noted. (Byte size alone is a weak check, since a modified or mis-built executable can have exactly the same length; comparing a cryptographic hash of the two files gives much stronger assurance that they are identical.)

14.23 If there are multiple user sites, verify the control mechanism to ensure that the same software is implemented at all such user sites.

14.24 If there are exceptions for certain users, verify if those exception modules of the software are kept in the central control library from which the software is rolled out.

14.25 Verify if there is any register/database containing information about which site has which version.

14.26 Check and ensure that backups of all versions of the software are held both onsite and offsite in fire-resistant cabinets with proper records.
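Items 14.22, 14.23 and 14.25 together describe a release-integrity check: fix what a release is made of, compare each user site against it, and keep a register of which site runs which version. The block below is an added example (not the checklist's own procedure, and not code from any vendor) of doing that with a hash manifest rather than byte sizes. The program names and the byte strings standing in for compiled executables are constructed for the example; site C deliberately contains a copy of LOANS.EXE with one byte changed, so the byte-size test in 14.22 passes while the hash comparison fails.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(release: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Reference manifest taken at the central control library when the
    release is cut: program name -> (byte size, SHA-256)."""
    return {name: (len(data), sha256_hex(data)) for name, data in release.items()}


def compare_site(manifest: Dict[str, Tuple[int, str]], site: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the executables found in a user site's live area with the
    manifest. Returns (program, finding) pairs; an empty list means the site
    runs exactly the release described by the manifest."""
    findings = []
    for name, (size, digest) in manifest.items():
        if name not in site:
            findings.append((name, "missing at site"))
        elif len(site[name]) != size:
            findings.append((name, "size differs"))
        elif sha256_hex(site[name]) != digest:
            # The byte-size test of 14.22 passes here; only the hash catches it.
            findings.append((name, "same size but content differs"))
    for name in site:
        if name not in manifest:
            findings.append((name, "not part of release"))
    return findings


def identify_version(manifests: Dict[str, dict], site: Dict[str, bytes]) -> Optional[str]:
    """Which release a site actually runs (for the site/version register of
    14.25), or None if it matches no release exactly."""
    for version, manifest in manifests.items():
        if not compare_site(manifest, site):
            return version
    return None


# Constructed stand-ins for compiled executables (not real binaries).
RELEASE_3_1 = {"LOANS.EXE": b"loans module build 3.1\x00" * 7,
               "DEPOSIT.EXE": b"deposit module build 3.1\x00" * 7}
RELEASE_3_2 = {"LOANS.EXE": b"loans module build 3.2\x00" * 8,
               "DEPOSIT.EXE": b"deposit module build 3.2\x00" * 8}
MANIFESTS = {"3.1": build_manifest(RELEASE_3_1), "3.2": build_manifest(RELEASE_3_2)}

SITE_A = dict(RELEASE_3_2)        # current release, intact
SITE_B = dict(RELEASE_3_1)        # site never upgraded
# LOANS.EXE with a single byte flipped: same size as the release, different hash.
_tampered = bytearray(RELEASE_3_2["LOANS.EXE"])
_tampered[5] ^= 0x01
SITE_C = {"LOANS.EXE": bytes(_tampered), "PATCH.EXE": b"hotfix"}   # DEPOSIT.EXE missing

if __name__ == "__main__":
    for label, site in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(label, identify_version(MANIFESTS, site), compare_site(MANIFESTS["3.2"], site))
```

In practice the manifest is produced by the independent person of 14.17 at the moment the executables are built, signed or stored with the CRF, and the site comparison is run against the live directory rather than an in-memory dictionary.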

    Software procured from outside vendor

14.27 Verify if there is an Annual Maintenance Contract for the software and check whether it is currently in force.

14.28 Check if requests for changes are initiated by users in a structured change request form (CRF) with pre-printed numbers.

14.29 Verify if the change request is approved by Management before asking the vendor to effect the changes in the software.

14.30 Are these change requests (CRFs) inwarded in a manual / electronic register before being sent to the vendor for making the changes?


14.31 For all the changes effected and implemented by the vendor, check whether release notes have been provided for all such patches / releases. If so, do the release notes given by the vendor contain the CRF number submitted by the Bank?

14.32 Check whether the release notes have been circulated to all the users.

14.33 Check whether the open entry in the inward register having the CRF number attended to by the vendor is rounded off to reflect the latest pending position.


14.34 Check whether the vendor has updated the user and operations manuals to reflect the current state of the software and delivered them to the Bank.

14.35 Check the procedure for marking off entries in the inward register for CRFs maintained at CPPD / IT, and ensure that the current list of outstanding requests is complete and accurate.

14.36 Is there a procedure to review and monitor all pending change requests and initiate timely action to get them resolved by the vendor in a time-bound manner?

14.37 Verify the Service Level Agreement (SLA) with the vendor. Does it lay down the basis of billing, say, based on x lines of code or on y man-hours of effort, etc.? Check whether the billing made by the vendor is in accordance with the SLA. Test-check whether the billing raised is accurate.

14.38 Does the SLA have a penalty clause for delay on the part of the vendor in delivering the changes after submission of the CRF? If so, for any delays on the part of the vendor, does the Bank invoke the penalty clause and charge the penalty?

14.39 Verify if any escrow arrangement exists for the source code. If so, check who the escrow party is, inspect their site and check whether a copy of the latest version of the source code is stored there in proper condition with records.

14.40 Check whether one copy of the full set of the latest documentation of the software is also kept with the source code at the escrow location.

14.41 Check and ensure that the escrow party cannot have unilateral access to the source code and documentation without the knowledge of the software vendor and the Bank.

14.42 Check and ensure that a backup of the latest version of the software provided by the vendor is held both onsite and off-site in fire-resistant cabinets with proper records.

    Software Trouble Shooting

    Help Desk

14.43 Check if user calls are logged in a register (manual or electronic) at the Help Desk with a unique identification number for each call. Preferably, the numbering should be serial and unique for each user site.

14.44 Is this number recorded in a Help Desk register at the user's site with the nature of the call and the date and time of the call?

14.45 Does the Help Desk register at the user site reflect all the call identification numbers serially, without any missing number in between?

14.46 Is the date and time of resolving the trouble recorded in the Help Desk register? Does it correspond and tally with the records maintained at the Help Desk?

14.47 Are the calls attended to in a timely manner?

14.48 Does the Help Desk issue a call sheet with the solution given, duly signed by the user?

14.49 If trouble shooting is attempted by the Help Desk personnel remotely, check whether any sensitive password was divulged by the user to the Help Desk. This should have been recorded in the Help Desk register both at the user site and at the Help Desk. (Where the product allows it, a temporary credential or a reset after the call is preferable to disclosure of the user's own password.)

14.50 If a sensitive password is revealed to the Help Desk, check the system and application logs and ensure that the changes made are appropriate to the trouble reported by the user.

14.51 Check whether the command log is printed and submitted to the user site, duly signed by the Help Desk official and authenticated by the Help Desk in-charge.


    File / Data reorganisation

14.52 If the software works on an RDBMS, check whether file / database reorganisation is carried out at the user site in a timely manner to avoid processing errors.

14.53 If any addition to a datafile / tablespace is made, is it approved and in accordance with the software implementation guidelines?

14.54 If operating system / database fine-tuning is carried out, is it documented in the error log / Help Desk register?

14.55 As most of these activities require sensitive passwords, is the usage of the same recorded in the password usage register, duly signed by the support personnel and the user?

14.56 Verify the command logs and ensure that the commands and command results are appropriate to the file / database reorganisation, fine-tuning, etc.

14.57 Verify whether any O/S upgrade has introduced a constraint in the application software.

14.58 If the user is using two or three applications and data is transmitted between them through an interface application, verify that the interface software is properly tested and implemented.

    Backup and recovery

    Software

14.59 Verify if the latest copy of the software backup (Operating System, RDBMS, application, etc.) is taken and preserved at the user site.

Data

14.60 Verify if different types of data backup are taken periodically at specified intervals, as advised by the software developer / vendor.

14.61 Are there proper records noting the media on which the different data backups are stored, the data type, the location where it is stored, the date of backup, the due date for recycling, etc.?


    14.62 Is one copy of data backup kept in an offsite location with proper records?

14.63 Does the database / system administrator at the user site carry out restoration testing of these backups periodically? Is it recorded and authenticated?

14.64 Are users involved in such restoration testing?

Purging of data

14.65 Verify if there is an archival policy and that data housekeeping is as per this policy.

14.66 Verify if this archival data can be read as and when required.

14.67 Verify if this archival data is stored in a safe place.

14.68 Verify if archived data is deleted from the current running system.

14.69 Verify if the printed reports are deleted from the system.

    Hardware maintenance

14.70 Verify if there is any Service Level Agreement between the hardware vendor and CPPD / IT Department.

14.71 Check and ensure that the AMC with the vendor for maintenance of hardware equipment is active and currently in force.

14.72 Verify if the network diagram is available at the user site.

14.73 Does the user site have the names and photographs of the service personnel, and are they identified by the users before being allowed to handle the hardware?

14.74 Verify if a hardware inventory is maintained at the user site. Ensure that the physical stock of hardware items matches the hardware inventory.


14.75 Verify if a hardware maintenance register is maintained with full details such as the nature of the trouble, date and time of reporting, name of the vendor, engineer's name, date and time of resolution, signature of the DBA, signature of the engineer and initials of the Head of the user site.

14.76 Verify if there is a databank of hardware malfunctions. If so, examine whether similar types of hardware errors are recurring. Check the steps taken by the users / CPPD / IT to arrest this trend.

14.77 In case hardware is taken by the vendors for servicing / repair, does the user site ensure that the equipment does not contain sensitive live data?

    Training

14.78 Verify if the users are given adequate training on the application system's functionalities.

14.79 Verify if the technical persons are given adequate training in the technical details of the application system, to provide the necessary trouble shooting / help to users.

14.80 Verify if the users are aware of the steps to be carried out in case of contingency due to non-availability of systems.

    15. Internet Banking

    Information Systems Security Framework

15.1 Is there a security policy duly approved by the Board of Directors? Is there segregation of duties between a Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actually implements the computer systems? Is the role of the Information Security Officer independent in nature?

15.2 Is the role of the information systems auditor independent in nature? (It should be independent of the Operations and Technology Unit.)

15.3 The Bank should ensure that the Information Systems Auditor forms part of its Internal Audit Team.

15.4 The Bank should acquire tools for monitoring systems and networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The Bank should review its security infrastructure and security policies regularly and optimise them in the light of its own experience and changing technologies. It should educate its security personnel and also the end-users on a continuous basis.

15.5 The Bank should subscribe to the vendors' system alerts/patches. The Information Systems Auditor should ensure that all relevant security patches are applied periodically, to prevent outsiders exploiting the Bank's systems.

15.6 Under the present legal requirements there is an obligation on Banks to maintain the secrecy and confidentiality of customers' accounts. In the Internet banking scenario, the risk of Banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service, etc., because of hacking / other technological failures. Does the bank, therefore, institute adequate risk control measures to manage such risks?


15.7 In order to address the risk of liability to customers on account of breach of secrecy, denial of service, etc., does the Bank follow a privacy policy?

15.8 Some of the indicated areas which all Banks need to include as part of the Privacy Policy are given below:

- Banks should safeguard, according to strict standards of security and confidentiality, any information customers share with them.

- Banks will not reveal customer information to any external organization unless they have previously informed the customer in disclosures or agreements, have been authorized by the customer, or are required by law or our regulators.

- Whenever Banks hire other organizations to provide support services, they should require them to conform to our privacy standards and to allow us to audit them for compliance.

    Web Server

15.9 Is the web server configured as a stand-alone unit, without membership of any domain inside the Bank's IT architecture?

15.10 Ensure that the web server is patched with the latest versions of patches and service packs. In particular, the OS vendor releases patches and service packs with fixes for Denial of Service vulnerabilities; these should have been applied to prevent such attacks on the web server.

15.11 All security settings applicable to the operating system on which the web server runs should have been implemented as per the IT security policy. Check and ensure this.

15.12 With regard to the Super User account:

- Check whether the super user account on the web server is enabled for login only at the system console and not from across the network. This may well be applicable to all user accounts on the web server.

- Check if appropriate parameters are implemented in the operating system of the web server so that the super user account locks out if too many unsuccessful attempts are made across the network, but remains unlocked at the system console.

15.13 Check that sensitive operating-system executables and data files on the web server are not stored in a public area but in another secure location, with auditing duly enabled.

15.14 IP routing (forwarding of packets between the server's interfaces) should be disabled on the web server. Check and confirm this.

15.15 Ensure that unauthorised ports (e.g., UDP port 443) are not open on the web server. Also ensure that unnecessary services like ftp, messenger, SMTP, telnet, etc. are not installed and active on the web server.

15.16 The facility to shut down the machine should be restricted to the system console of the web server. Check and ensure this.

15.17 Access to the floppy drive, CD-ROM drive, etc. on the web server should be restricted to the interactively logged-on user only, to prevent these devices from being shared by all processes on the system. Check and ensure this.

    Logs of activity

15.18 Ensure that auditing is enabled in the web server's operating system and that the logs are reviewed and authenticated by authorised officials periodically.

15.19 Check if an audit trail is enabled on the firewall to log changes made to the rule base settings, and verify whether the logged entries are approved by higher authorities in the IT Department.

15.20 Are the system administrators monitoring the logs produced by the Intrusion Detection System (IDS) and escalating access violations to the attention of senior management in the IT department for guidance? (An intrusion detection system helps in recognising security threats and can inspect packets for known attack signatures. It detects and alerts; on its own it does not prevent distributed denial of service attacks.) Are these documented and appropriate corrective actions taken?

15.21 Check whether audit trails are enabled for administration activities and whether the entries logged in the audit trail are in accordance with the process flow chart and no unauthorised activity has been carried out.

    De-militarized zone and Firewall

15.22 Are all Internet connections routed through a Firewall? Does a dedicated team manage the Firewall? Are ports opened only on a "need to have" basis?

15.23 Is there an Intrusion Detection System (IDS) implemented?

15.24 Are the application and database servers kept separated from the web server in the de-militarized zone?

15.25 Is the de-militarized zone separated from the Internet cloud by means of a Firewall? (Firewall procurement should be through an approval mechanism which ensures that only firewalls of the highest standards are procured.)

15.26 If the de-militarized zone is connected to the Intranet within the Bank, it should be separated from it by a Firewall. Check and ensure the same.

15.27 Check whether the Firewall rule base is treated as sensitive information and knowledge of it is restricted to authorised officials in the IT / Computer Operations department only.

15.28 Ensure that the decision to open specific firewall ports / rule-base entries is approved in accordance with the IT Security Policy (the IT Security Policy should list such ports), e.g. firewalls should block unwanted ports running services such as ftp, telnet, SMTP, etc. into the de-militarized zone. Ideally, only the http and https ports are allowable. Check and verify this.


    Security Review of all Servers used for Internet Banking

15.29 Carry out an operating system security review on all the servers used for Internet banking apart from the web server (covered under "Web Server" above) and ensure that all security parameters have been properly set as per the Security Policy.

    Database and System Administration

    15.30 Has the Bank designated a Database Administrator with clearly defined roles?

    15.31 Has the Bank designated System Administrator(s) with clearly defined roles?

15.32 Check whether the process flow of administration activities is documented and approved by the Head of Operations, and whether the administrators are conversant with the process flow.

15.33 Carry out an application control review of the administration module and ensure that the functionality described in the process flow document is adequately met by the module.

15.34 Examine who has access to the Super User account in the administration module. Examine the procedures for custody and usage of this password and the records maintained for the same. Are all usages recorded by the administrator authenticated by the appropriate authority?

15.35 Obtain a list of all administrator accounts in the administration module and check whether all are attributable to personnel doing the administration job. Extraneous admin IDs should be identified and reported for deletion.

15.36 Check whether the menu options in the admin module are assigned to different administrators on a need-to-know basis, based on the functionality offered by the menu options and the work allotted to the administrator.


15.37 Obtain the list of menu options in the Internet banking module for customers and check whether such menu options are assigned to user (customer) IDs only as per their request and as per the policy of the Bank.

15.38 Pay particular attention to user (customer) IDs which are provided with the third party funds transfer facility on the Internet and verify whether they are backed by a proper customer request in writing.

15.39 Does the Bank have proper infrastructure and schedules for backing up data? Is the backed-up data periodically tested to ensure recovery without loss of transactions within the time frame given in the bank's security policy? Is business continuity ensured by setting up disaster recovery sites? Are these facilities tested periodically?

15.40 Check the procedure for creation of the different user accounts for customers for usage on the Internet and whether they are backed by a valid customer request for such facility.

Operational Activities

15.41 Considering the prevailing legal position, is it ensured that the Bank not only establishes the identity of the prospective customer but also makes enquiry about his/her integrity and reputation? Therefore, even though a request for opening an account can be accepted over the Internet, is it ensured that accounts are opened only after proper introduction and physical verification of the identity of the customer? Is there a legal contract with the customer in place covering the risks of communicating over the public network?

15.42 Pay particular attention to customers whose constitution is other than individual, particularly corporate accounts, and check whether the appropriate account opening documentation has been submitted by such customers for internet banking.

15.43 Check whether any customer who is not a joint account holder but holds only a single account has been provided with multiple user IDs.


15.44 Any account linkage activity should take place only after ensuring that the user accounts have been created based on valid customer requests.

15.45 Check whether user IDs are linked to multiple bank accounts. If so, verify that such accounts pertain to the same customer only.

15.46 Check the procedure for enabling the customer user ID on the Internet and verify whether adequate precautions are taken by the operations personnel to identify the customer before enabling it. The account enablement process should be decided and signed off before product launch. The entire process should be auditable and audit trails should be enabled for it (each Bank can decide whether to pre-enable or post-enable the user accounts based on its policy).

15.47 Check the procedure for creation of a new password for customers who report having forgotten the password. Verify the procedure for ensuring the identity of the customer before creating the new password.

15.48 Verify whether adequate records (either electronic or manual) are maintained for the customer user IDs created, enabled, new passwords provided, etc. and whether they are authentic. Test check the instances of change of customers' passwords and whether they are backed by valid customer requests.

15.49 Do all applications of the bank have proper record keeping facilities for legal purposes? It may be necessary to keep all received and sent messages both encrypted

Application Control Review of Internet Banking Application

15.50 Does the software allow creation of user IDs in the same name more than once?

15.51 Does the software transform passwords with a one-way (hash) function and store only that form in the database, never the clear text?

15.52 Does the software display the password as it is keyed in? (It should not be displayed on the screen.)

15.53 Does the software lock the user ID after it has been used for X unsuccessful logon attempts?

15.54 Does the software force the user to change the password at set periodic intervals?

15.55 Does the software maintain a password history, so that the same password cannot be used again on a rotation basis?

15.56 Check whether the software logs the instances of change of users' (customers') passwords in the audit trail.

15.57 Does the software provide for automatic logical deletion of inactive user IDs after a certain period of time?

15.58 Does the system enforce a minimum password length of 6 or 8 characters, as the case may be, with a combination of alphabetic, numeric and special characters?

15.59 Check whether the menu options available on the web page to a customer after logging on to the system provide only the appropriate functionality as designed and that no deviation is possible.
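To show what items 15.50 to 15.58 look like when they are actually implemented, here is an added Python example of a small in-memory customer user store; it is illustration written for this page, not code from the RBI or from any bank's internet banking product. The thresholds (X = 3 failed logons, 90-day password age, history depth of 5, 180 days of inactivity, 8-character minimum, PBKDF2 work factor) are assumptions, and the fixed EPOCH clock exists only so the behaviour can be exercised without waiting.

```python
"""Account and password controls 15.50 to 15.58 as an in-memory user store.
Added example, not the page's or any bank's code; the limits below (X = 3
attempts, 90-day age, history of 5, 180-day inactivity) are assumptions."""
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY = timedelta(days=1)
EPOCH = datetime(2019, 8, 8, 9, 0)        # fixed clock for the examples/tests
MAX_FAILED_LOGONS = 3                     # 15.53: lock after X failures
PASSWORD_MAX_AGE = 90 * DAY               # 15.54: forced periodic change
PASSWORD_HISTORY_DEPTH = 5                # 15.55: passwords that may not be reused
INACTIVE_AFTER = 180 * DAY                # 15.57: logical deletion of idle IDs
MIN_PASSWORD_LENGTH = 8                   # 15.58
PBKDF2_ITERATIONS = 100_000               # assumed work factor

def hash_password(password, salt=None):
    """15.51: one-way salted hash; only (salt, digest) is ever stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def password_meets_policy(password):
    """15.58: minimum length plus alphabetic, numeric and special characters."""
    return len(password) >= MIN_PASSWORD_LENGTH and all(
        re.search(p, password) for p in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"))

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    last_logon_at: datetime
    failed_logons: int = 0
    locked: bool = False
    disabled: bool = False
    history: list = field(default_factory=list)   # earlier (salt, digest) pairs

class UserStore:
    def __init__(self):
        self.accounts = {}
        self.audit_trail = []                      # 15.56: (time, event, user_id)

    def _log(self, event, user_id, now):
        self.audit_trail.append((now.isoformat(), event, user_id))

    def create_user(self, user_id, password, now=EPOCH):
        if user_id in self.accounts:               # 15.50: no duplicate IDs
            raise ValueError("user ID already exists")
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, now, now)
        self._log("create", user_id, now)

    def change_password(self, user_id, new_password, now=EPOCH):
        acct = self.accounts[user_id]
        if not password_meets_policy(new_password):
            raise ValueError("password does not meet policy")
        # 15.55: neither the current password nor the recorded history may be reused.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if verify_password(new_password, salt, digest):
                raise ValueError("password was used recently")
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY_DEPTH]
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_at = now
        self._log("password_change", user_id, now)

    def logon(self, user_id, password, now=EPOCH):
        """Returns ok, must_change_password, locked, disabled or bad_credentials."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "bad_credentials"               # same answer as a wrong password
        if now - acct.last_logon_at > INACTIVE_AFTER and not acct.disabled:
            acct.disabled = True                   # 15.57
            self._log("disabled_inactive", user_id, now)
        if acct.disabled:
            return "disabled"
        if acct.locked:
            return "locked"
        if not verify_password(password, acct.salt, acct.digest):
            acct.failed_logons += 1
            if acct.failed_logons >= MAX_FAILED_LOGONS:   # 15.53
                acct.locked = True
                self._log("locked", user_id, now)
                return "locked"
            return "bad_credentials"
        acct.failed_logons = 0
        acct.last_logon_at = now
        if now - acct.password_set_at > PASSWORD_MAX_AGE:  # 15.54
            return "must_change_password"
        return "ok"
```

An auditor testing item 15.53 would create a user, call `logon` with a wrong password three times and expect the third call to return "locked" and an entry in `audit_trail`; for 15.55 the same password passed back to `change_password` must raise. Note that an unknown user ID and a wrong password produce the same answer, so the logon screen does not reveal which customer IDs exist.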

Application Security

15.60 Is the security infrastructure properly tested before the systems and applications are used for normal operations? The following needs to be taken care of to ensure that the security infrastructure is tested properly before the systems and applications are used:

- As part of the System Development Life Cycle (SDLC), an Information Security Review covering the entire system, together with an architecture review, needs to be conducted during the development stage.
- Comprehensive information security related checks need to be conducted during the coding and testing stage.
- On completion of User Acceptance Testing (UAT), all Internet related systems or applications need to be penetration tested by an independent party.
- Banks should enter into an agreement with the independent party who conducts the penetration testing, covering both legal and contractual terms.

15.61 The following should be covered as part of penetration tests / vulnerability tests:

1. Check for the following common vulnerabilities:
- IP spoofing
- Buffer overflows
- Session hijacks
- Account spoofing
- Frame spoofing
- DDoS attacks
- Caching of web pages
- Cross-site scripting
- Cookie handling

2. As per RBI's guidelines, PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. Since the Government and RBI are in the process of identifying a PKI service provider, it may take some time to implement PKI in all the banks. As PKI is not yet commonly available, does the bank use the following alternative arrangement during the transition, until PKI is put in place:
- A static ID and password login process.
- Usage of SSL (Secure Sockets Layer), which ensures server authentication, and use of client side certificates issued by the banks themselves using a certificate server.
- The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.
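Two of the items in the 15.61 vulnerability list, cookie handling and caching of web pages, can be checked passively from the response headers of a post-logon page. The Python below is an added example for this page, not a tool from the RBI or from any bank: it parses a raw HTTP response head and reports session cookies that lack the Secure or HttpOnly attributes and pages that may be retained by a browser or proxy cache. The two sample responses (a weak one and a corrected one) are constructed, not captured from a real site, and the Cache-Control / Pragma combination it expects is the conservative "never store" setting for authenticated pages.

```python
"""Passive checks for two items on the 15.61 list, cookie handling and caching
of web pages, run over the response head of an authenticated page.  Added
example; the two sample responses are constructed, not captured from any bank."""

# Constructed: what a weak post-logon page might send.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same page with the attributes the checks expect.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers); headers is a dict
    of lower-cased name -> list of values, so repeated Set-Cookie lines survive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def check_cookies(headers):
    """Every cookie set on an HTTPS site should carry Secure and HttpOnly."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name_value, *attrs = [part.strip() for part in cookie.split(";")]
        name = name_value.split("=", 1)[0]
        attr_names = {a.split("=", 1)[0].lower() for a in attrs}
        if "secure" not in attr_names:
            findings.append(f"cookie {name}: no Secure attribute, browser will also send it over plain HTTP")
        if "httponly" not in attr_names:
            findings.append(f"cookie {name}: no HttpOnly attribute, readable by script injected via cross-site scripting")
    return findings


def check_caching(headers):
    """Post-logon pages must not be stored by the browser or an intermediate proxy."""
    findings = []
    directives = {d.strip().lower() for v in headers.get("cache-control", []) for d in v.split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page may be kept in browser or proxy cache")
    if "no-cache" not in {v.lower() for v in headers.get("pragma", [])}:
        findings.append("Pragma: no-cache absent: HTTP/1.0 caches may keep the page")
    return findings


def audit_response(raw):
    """All findings for one response head; an empty list means both checks pass."""
    _, headers = parse_response(raw)
    return check_cookies(headers) + check_caching(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

During a test, feed `audit_response` the head of each response captured after logon (an intercepting proxy exports these as text); a finding against the session cookie is the concrete evidence behind the "cookie handling" and "session hijack" entries in 15.61.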

    ----@------